
Critical SaltStack Vulnerability Affects Thousands Of Datacentres

Critical vulnerabilities in the Salt remote task and configuration framework enable hackers to take control of cloud servers and must be patched right away


Two severe security flaws have been discovered in the open-source SaltStack Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centres and cloud environments.

The Salt management framework, developed by SaltStack, is a configuration tool used to monitor and update servers in datacentres and cloud environments. Multiple critical vulnerabilities in Salt let attackers retrieve user tokens from the salt-master and/or run arbitrary commands on salt minions.

“We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours. Due to the reliability and simplicity of exploitation, F-Secure will not be providing proof-of-concept exploit code.”

SaltStack Salt Vulnerabilities

Security researchers from F-Secure discovered the vulnerabilities in versions 2019.2.4 and 3000.

The vulnerabilities allow a remote attacker who connects to the request server to bypass all authentication mechanisms, publish arbitrary control messages, and read and write files anywhere on the master file system.

Attackers can also steal the secret keys and authenticate as a master user, resulting in “full remote command execution as root on both the master and all minions that connect to it.”


“I was expecting the number to be a lot lower. There are not many reasons to expose infrastructure management systems, which is what a lot of companies use Salt for, to the internet,” he explained.

“When new vulnerabilities go public, attackers always race to exploit exposed, vulnerable hosts before admins patch or hide them. So if I were running one of these 6,000 masters, I wouldn’t feel comfortable leaving work for the weekend knowing it’s a target.”

Salt is used in infrastructure, network and security automation solutions and is widely used to maintain datacentres and cloud environments. The framework comprises a ‘master’ server acting as a central repository, with control over ‘minion’ agents that carry out tasks and collect data.

The two vulnerabilities, which are assigned designations CVE-2020-11651 and CVE-2020-11652, were uncovered by F-Secure researchers in March 2020 while working on a client engagement.

They affect all versions of Salt up to 3000.1, and are considered so severe that they carry a Common Vulnerability Scoring System (CVSS) rating of 10, the highest possible.
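The article gives the affected range as everything up to 3000.1; the fixed releases named in SaltStack's own advisory for CVE-2020-11651 and CVE-2020-11652 were 2019.2.4 and 3000.2 (a known fact, not stated on this page). The following check is an added example, not code from the article or from SaltStack: it parses Salt's two version schemes (the older YYYY.M.P style and the 3000.x style) and reports which hosts in a constructed inventory still need the patch. It assumes that any release below 2019.2.4 is unpatched, that the 3000 branch is fixed from 3000.2, and that 3001 and later were never affected; distro packaging suffixes such as `+ds-1` are ignored.

```python
"""Patch-status check for Salt against the CVE-2020-11651 / CVE-2020-11652 fix releases."""
import re

# Fixed releases per SaltStack's advisory (known fact, not from the article above).
FIXED_2019_BRANCH = (2019, 2, 4)
FIXED_3000_BRANCH = (3000, 2)
FIRST_UNAFFECTED_MAJOR = 3001  # assumption: later feature releases shipped with the fix

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Turn '2019.2.3', '3000', '3000.1' or '3000.1+ds-1' into a comparable int tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Salt version: {text!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_vulnerable(version):
    """True if this Salt release predates the fixed release on its branch."""
    parsed = parse_version(version)
    if parsed[0] >= FIRST_UNAFFECTED_MAJOR:
        return False
    if parsed[0] == 3000:
        return parsed < FIXED_3000_BRANCH
    # Everything older than the 2019.2 fix release is treated as unpatched
    # (assumption: no fixed release existed on older branches at disclosure time).
    return parsed < FIXED_2019_BRANCH


def hosts_needing_patch(inventory):
    """Return the sorted host names whose reported Salt version is still vulnerable."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


# Constructed sample inventory: host name -> version as reported by `salt --versions-report`
SAMPLE_INVENTORY = {
    "master-01": "3000.1",
    "minion-a": "2019.2.4",
    "minion-b": "2018.3.5",
    "minion-c": "3000.2+ds-1",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: Salt {SAMPLE_INVENTORY[host]} is vulnerable, patch required")
```

In a real environment the version strings would come from `salt --versions-report` on the master and from the package manager on each minion; the comparison logic stays the same.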

Successfully exploited, they enable attackers to execute code remotely with root privileges on Salt master repositories, meaning they could, for example, install backdoors into systems, carry out ransomware attacks, or take over systems to mine cryptocurrencies. F-Secure said it had already found 6,000 such repositories openly vulnerable on the public internet.

The researchers warned that the flaws could be exploited in the wild imminently. SaltStack is also urging users to follow best practices to secure the Salt environment.

Vulnerabilities in ZeroMQ Protocol:

Salt is a powerful Python-based automation and remote execution engine that’s designed to allow users to issue commands to multiple machines directly.

Built as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a “master” node that deploys the changes to a target group of “minions” (e.g., servers) en masse.

The communication between a master and minion occurs over the ZeroMQ message bus. Additionally, the master uses two ZeroMQ channels, a “request server” to which minions report the execution results and a “publish server,” where the master publishes messages that the minions can connect and subscribe to.
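Because the attack path described here starts with reaching the request server, the most useful operational check is whether anything other than a known minion is connecting to the master's ZeroMQ ports. The script below is an added example written for this article, not code from the article or from SaltStack. It assumes Salt's default listeners (publish server on TCP 4505, request server on TCP 4506, a known fact not stated on the page), and it runs over a constructed connection log in a made-up `src=... dst=...` format; it flags any connection to those ports from outside the minion networks, rating hits on the request server higher because that is the channel whose authentication bypass the advisory describes.

```python
"""Flag connections to a Salt master's ZeroMQ ports from addresses that are not known minions."""
import ipaddress
import re
from dataclasses import dataclass

# Salt defaults (known fact, not from the article): 4505 publish server, 4506 request server.
PUBLISH_PORT = 4505
REQUEST_PORT = 4506

# Constructed sample log: one line per accepted TCP connection on the master.
SAMPLE_LOG = """\
2020-05-01T08:00:01Z src=10.0.1.21:41022 dst=10.0.0.5:4506
2020-05-01T08:00:02Z src=10.0.1.22:41023 dst=10.0.0.5:4505
2020-05-01T08:00:07Z src=203.0.113.9:55001 dst=10.0.0.5:4506
2020-05-01T08:00:09Z src=198.51.100.4:55002 dst=10.0.0.5:4505
2020-05-01T08:00:11Z src=10.0.1.21:41030 dst=10.0.0.5:22
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[^\s:]+):\d+ dst=[^\s:]+:(?P<dport>\d+)$"
)


@dataclass
class Finding:
    timestamp: str
    source: str
    port: int
    severity: str


def audit_master_connections(log_text, minion_networks):
    """Return one Finding per connection to 4505/4506 whose source is outside minion_networks."""
    networks = [ipaddress.ip_network(cidr) for cidr in minion_networks]
    findings = []
    for line in log_text.splitlines():
        match = _LINE_RE.match(line.strip())
        if not match:
            continue  # unparseable line: skip rather than silently misclassify
        port = int(match["dport"])
        if port not in (PUBLISH_PORT, REQUEST_PORT):
            continue  # not a Salt port, e.g. SSH management traffic
        source = ipaddress.ip_address(match["src"])
        if any(source in net for net in networks):
            continue  # expected minion traffic
        # Unauthenticated access to the request server is the path the advisory
        # describes, so rate it above an unexpected subscriber on the publish port.
        severity = "high" if port == REQUEST_PORT else "medium"
        findings.append(Finding(match["ts"], str(source), port, severity))
    return findings


if __name__ == "__main__":
    for finding in audit_master_connections(SAMPLE_LOG, ["10.0.1.0/24"]):
        print(f"[{finding.severity}] {finding.timestamp} {finding.source} -> port {finding.port}")
```

Any finding at all means the master's request or publish port is reachable from an address the minion inventory does not explain, which is the condition the article's 6,000 exposed masters were in; the fix is a firewall rule restricting both ports to the minion networks, applied alongside the version update.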

According to F-Secure, the pair of flaws reside in the tool’s ZeroMQ protocol. The researchers said:

“The vulnerabilities described in this advisory allow an attacker who can connect to the ‘request server’ port to bypass all authentication and authorization controls and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root.”

Segerdahl said that, on the bright side, he had found no evidence or reports of anyone exploiting the vulnerabilities in real-world attacks, although he stressed that this will likely change in short order now that the flaws have been disclosed.

F-Secure pointed out that any reasonably competent hacker should be able to create a 100% reliable exploit for the vulnerabilities within the next 24 hours – due to this, the firm has not provided any proof-of-concept exploit code, as this risks harming Salt users who are slow to patch.

It’s highly recommended that Salt users update the software packages to the latest version.
